.. _version_history_1.35.11: 1.35.11 (June 3, 2026) ======================= Bug fixes --------- *Changes expected to improve the state of the world and are unlikely to have negative effects* * **http2**: Apply nghttp2 CVE-2026-27135 patch. * **http2**: Fix: `CVE-2026-47774 `_ HTTP/2 streams will now be reset if the stream violates the maximum header list size configured via ``mutable_max_request_headers_kb``. Note that this is different than the per header size specified by ``max_header_field_size_kb``. Uncompressed cookies now count towards this limit to protect Envoys against large uncompressed cookies causing excessive memory usage. Additionally, cookies now also count towards ``max_headers_count`` limits. This behavior can be reverted by setting the runtime guard ``envoy.reloadable_features.http2_include_cookies_in_limits`` to false. * **load_report**: Fixed an issue upon load-report shutdown race with ADS stream. Introduced proper cleanup of the gRPC stream. * **oauth2**: Fixed a bug where HMAC verification may exposure a timing side channel that leaks information of HMAC secret validity. * **oauth2**: Fixed a crash in the OAuth2 filter where AES-CBC decryption of token cookies could spuriously succeed (~1/256) when the configured HMAC secret did not match the secret used to encrypt the cookie (for example after secret rotation, or when receiving legacy unencrypted tokens). The resulting binary "plaintext" was written back into the ``Cookie:`` request header and tripped a ``HeaderString`` validation assert. Such plaintexts are now rejected and the original cookie value is preserved, matching the behavior already documented for the explicit decryption-failure case. New features ------------ * **stats**: Added support to limit the number of stats stored in each stats scope in the stats library. * **stats**: Added support to remove unused metrics from memory for extensions that support evictable metrics. This is done :ref:`periodically ` during the metric flush.